Description
Quest Bot is an open-source Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.
Published: 2026-06-12
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a moderator to embed @everyone or @here in a warning reason stored by the bot. When a moderator later invokes the /warns command, the stored reason is printed without mention suppression, causing the bot to trigger a mass ping. This can be used to spam or harass a Discord server, potentially disrupting conversations and triggering rate‑limit violations.

Affected Systems

Duck‑Organization Quest Bot is impacted; all releases prior to version 1.1.6 are vulnerable. The 1.1.6 release includes the patch that suppresses mentions in warning output. The vulnerability applies to any environment where the bot has permission to ping.

Risk and Exploitability

The CVSS score of 2.1 reflects low overall impact because the exploit requires moderator authority and relies on the bot’s ping capability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers who control or can influence a moderator in a server with the bot can exploit this to generate unwanted mass pings, but the likelihood is limited to that role. The risk is mitigated by using the fixed version.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.1.6 or later.
  • Ensure that stored warning reasons are sanitized or that the /warns command is restricted to trusted roles only.
  • Disable or remove the bot’s ability to send mentions if not needed, or remove @everyone/@here from stored reasons.
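The mention-suppression fix the advisory describes, and the sanitization the recommendations mention, as an added example that is not Quest Bot's own code: the reply payloads use the Discord API's `allowed_mentions` field (`allowedMentions` in discord.js), and the warning records are constructed sample data.

```javascript
// Constructed sample records, as a moderation bot might store them (not Quest Bot's schema).
const storedWarns = [
  { id: 1, moderator: "mod#0001", reason: "spam in #general" },
  { id: 2, moderator: "mod#0002", reason: "@everyone free nitro" }, // hostile reason
];

const MASS_MENTION = /@(everyone|here)/;

function renderWarns(warns) {
  return warns.map(w => `#${w.id} by ${w.moderator}: ${w.reason}`).join("\n");
}

// Vulnerable shape: stored text is interpolated and no allowed_mentions is sent,
// so Discord parses the @everyone inside the reason and pings the whole server.
function buildWarnsReplyVulnerable(warns) {
  return { content: renderWarns(warns) };
}

// Hardened shape: identical content plus allowed_mentions.parse = [], which tells
// Discord to render the text without resolving user, role or everyone/here mentions.
function buildWarnsReplyHardened(warns) {
  return {
    content: renderWarns(warns),
    allowed_mentions: { parse: [] },
  };
}

// Defence in depth at write time: flag reasons carrying mass mentions so the
// /warn handler can reject or log them before they are stored at all.
function reasonHasMassMention(reason) {
  return MASS_MENTION.test(reason);
}

// Audit property for any outgoing payload that echoes stored text: mention
// parsing must be disabled and no explicit users/roles allow-list re-enabled.
function suppressesMentions(payload) {
  const am = payload.allowed_mentions;
  return Boolean(am) && Array.isArray(am.parse) && am.parse.length === 0
    && !("users" in am) && !("roles" in am);
}
```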



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 14:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 12:30:00 +0000

Type: Description
Values removed: (none)
Values added: Quest Bot is an open-source Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6.

Type: Title
Values removed: (none)
Values added: Quest Bot: Stored warn reasons can still trigger bot-powered mass mentions through `/warns`.

Type: Weaknesses
Values removed: (none)
Values added: CWE-116

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T13:43:22.689Z

Reserved: 2026-05-21T15:33:08.291Z

Link: CVE-2026-48485

Vulnrichment

Updated: 2026-06-12T13:42:53.592Z

NVD

Status: Deferred

Published: 2026-06-12T13:16:33.820

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-48485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T13:30:27Z

Weaknesses
  • CWE-116: Improper Encoding or Escaping of Output